perfsonar-user - RE: [perfsonar-user] Re: [perf-node-users] Perfsonar Server got hacked (non root user)
- From: "Garnizov, Ivan" <>
- Subject: RE: [perfsonar-user] Re: [perf-node-users] Perfsonar Server got hacked (non root user)
- Date: Wed, 16 Oct 2013 11:20:20 +0000
Hi Roderick,
DenyHosts and the like (fail2ban) do not save you from bot "chinese" (small
letter since I have nothing against the people themselves) attacks,
especially from weekly recurring attacks. I had experienced such attacks
and I still keep logs of synchronized attempts to guess the username and
password.
Best regards,
Ivan Garnizov FAU Erlangen
-----Original Message-----
From: [mailto:] On Behalf Of Roderick Mooi
Sent: 16 October 2013 11:41
To: Amit
Cc: <>; <>
Subject: [perfsonar-user] Re: [perf-node-users] Perfsonar Server got hacked (non root user)
Hi Amit
I have installed "denyhosts" on my servers to prevent/deter brute force
attacks. "fail2ban" is another option...
Best regards,
Roderick
>>> On 2013-10-11 at 01:14, Shawn McKee <> wrote:
> I think we should make sure the services that are used to make network
> measurements and provide diagnostic capability remain open.
>
> If the /etc/hosts.allow is configured not to mess with those services
> I think it could be helpful to secure the nodes.
>
> Perhaps adding some iptables limitations on ssh would be in order. We
> use something like this on certain servers to limit the frequency
> someone can try to login via ssh:
>
> # Drop repeated ssh connection attempts within 20 seconds interval
> # ssh throttling (iptables-save format; the DROP rule must come before the
> # ACCEPT rule, which records the source address in the THROTTLE list)
> -A INPUT -p tcp -m tcp --dport ssh -m state --state NEW -m recent --rcheck --seconds 20 --name THROTTLE --rsource -j DROP
> -A INPUT -p tcp -m tcp --dport ssh -m state --state NEW -m recent --set --name THROTTLE --rsource -j ACCEPT
>
> If you don't allow passwords via ssh you don't even need this (but
> make sure you protect your keys if that is what you do allow).
>
> Shawn
>
> On Thu, Oct 10, 2013 at 6:51 PM, Jim Warner <> wrote:
>
>> It seems to me that encouraging addition of an /etc/hosts.allow file
>> to perfsonar installations would be a good idea. Even if you don't
>> leave ssh enabled most of the time, it's nice to have the restriction
>> there if you turn it on. And, for CD-ROM users, it appears that the
>> file is remembered and restored across reboots.
>>
>> -jim
>>
>> On Thu, Oct 10, 2013 at 9:58 AM, Brian Tierney <> wrote:
>>
>>>
>>> Maybe just a brute force password attack that succeeded? Did you
>>> have a good password on that system?
>>>
>>> On Oct 10, 2013, at 9:21 AM, Amit <> wrote:
>>>
>>> > Hi,
>>> >
>>> > No sudo ability to this user. Also no other user account hacked.
>>> > Not even any service got disrupted or misused.
>>> >
>>> > Thanks
>>> > Amit
>>> >
>>> > Sent from my HTC
>>> >
>>> > ----- Reply message -----
>>> > From: "Aaron Brown" <>
>>> > To: "Amit" <>
>>> > Cc: "<>" <>, "<>" <>
>>> > Subject: [perf-node-users] Perfsonar Server got hacked (non root user)
>>> > Date: Thu, Oct 10, 2013 8:22 pm
>>> >
>>> > Hey Amit,
>>> >
>>> > So this user broke into your 'admin' account, and not root, bwctl,
>>> > perfsonar, other user accounts? Did this account have sudo ability?
>>> >
>>> > Cheers,
>>> > Aaron
>>> >
>>> > On Oct 10, 2013, at 10:47 AM, Amit <> wrote:
>>> >
>>> > Hi,
>>> >
>>> > Today I could not ssh to my perfsonar servers (two) using a user
>>> > account. When I logged in to the server I identified that my Linux user
>>> > got compromised somehow from the internet.
>>> >
>>> > I could see the ssh connection from an internet IP to my server.
>>> > Also the crontab entry for that user got changed. Please find the
>>> > details below:
>>> >
>>> > 4344 ? Ss 0:10 ps HOSTNAME=Perf-Delhi TERM=xterm
>>> > SHELL=/bin/bash HISTSIZE=1000 SSH_CLIENT=201.231.245.195 4158 22
>>> > SSH_TTY=/dev/pts/0 USER=admin
>>> > MAIL=/var/spool/mail/admin PATH=. PWD=/home/admin/.?/.?
>>> > LANG=en_US.UTF-8 HISTCONTROL=ignoredups SHLVL=3 HOME=/home/admin
>>> > LOGNAME=admin
>>> > SSH_CONNECTION=201.231.245.195 4158 14.139.5.202 22
>>> > LESSOPEN=|/usr/bin/lesspipe.sh %s G_BROKEN_FILENAMES=1 _=./ps
>>> >
>>> > Also the hacker installed some script in my user home directory and
>>> > was trying to connect to IRC port 6667 and was also listening on some
>>> > tcp and udp ports.
>>> >
>>> > Iptables is already running on my server, I could not identify the
>>> > root cause for this. I have deleted all the data from the home
>>> > directory and also the crontab entry.
>>> >
>>> > Please help me out.
>>> >
>>> > --
>>> > Thanks & Regards
>>> >
>>> > Amit Kumar
>>> > Scientific Officer
>>> > Operation and Routing Group
>>> > M/O Communication and IT, NIC, A- Block, CGO Complex, New Delhi
>>> > Ph. +911122900332, NKN VoIP:5032
>
> --
> This message is subject to the CSIR's copyright terms and conditions,
> e-mail legal notice, and implemented Open Document Format (ODF) standard.
> The full disclaimer details can be found at
> http://www.csir.co.za/disclaimer.html.
>
> This message has been scanned for viruses and dangerous content by
> MailScanner, and is believed to be clean.
>
> Please consider the environment before printing this email.
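As an added example (not code from this thread or from the perfSONAR project), a small Python checker that parses `ps e`-style output like the environment dump Amit posted and flags the indicators visible there: a PATH containing the current directory, a working directory inside a hidden dot-directory, a binary launched from outside the system bin directories, and an SSH session from outside an assumed trusted network (the sample lines, addresses, hostname and trusted network are constructed).

```python
import ipaddress
import re

# Constructed sample lines shaped like the `ps e` output quoted in the thread
# (process columns, then environment); addresses and hostname are made up.
SAMPLE_PS_LINES = [
    "4344 ? Ss 0:10 ps SHELL=/bin/bash SSH_CLIENT=203.0.113.5 4158 22 "
    "USER=admin PATH=. PWD=/home/admin/.?/.? HOME=/home/admin _=./ps",
    "2210 ? Ss 0:00 sshd: admin [priv] SSH_CLIENT=192.0.2.10 50110 22 "
    "USER=root PATH=/usr/sbin:/usr/bin PWD=/ HOME=/root _=/usr/sbin/sshd",
]
TRUSTED_SSH_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed admin nets
SYSTEM_BIN_DIRS = ("/bin/", "/usr/bin/", "/sbin/", "/usr/sbin/")
ENV_START = re.compile(r"(?<!\S)([A-Z_][A-Z0-9_]*)=")  # start of a NAME= token

def parse_ps_env(line):
    """Split one `ps e` line into (columns, env). A value may contain blanks
    (SSH_CLIENT has three fields), so it runs up to the next NAME= token."""
    tokens = list(ENV_START.finditer(line))
    env_begin = tokens[0].start() if tokens else len(line)
    columns = line[:env_begin].strip().split(None, 4)  # PID TTY STAT TIME COMMAND
    env = {}
    for i, tok in enumerate(tokens):
        end = tokens[i + 1].start() if i + 1 < len(tokens) else len(line)
        env[tok.group(1)] = line[tok.end():end].strip()
    return columns, env

def suspicious_indicators(env):
    """Indicators lifted from the compromised session's environment in the thread."""
    hits = []
    if "PATH" in env and any(c in ("", ".") for c in env["PATH"].split(":")):
        hits.append("PATH contains the current directory")
    if any(p.startswith(".") for p in env.get("PWD", "").split("/") if p):
        hits.append("working directory is inside a hidden dot-directory")
    argv0 = env.get("_", "")
    if argv0 and not argv0.startswith(SYSTEM_BIN_DIRS):
        hits.append("binary launched from outside system bin dirs: " + argv0)
    client = env.get("SSH_CLIENT", "").split()
    if client and not any(ipaddress.ip_address(client[0]) in n for n in TRUSTED_SSH_NETS):
        hits.append("ssh session from untrusted source " + client[0])
    return hits

def scan(lines):
    report = []  # one entry per process with at least one indicator
    for line in lines:
        columns, env = parse_ps_env(line)
        if hits := suspicious_indicators(env):
            report.append({"pid": columns[0], "cmd": columns[4],
                           "user": env.get("USER"), "findings": hits})
    return report
```

Feed it the output of `ps e` (or `ps axe`) captured during triage; the legitimate sshd line in the sample produces no findings, while the `./ps` session trips all four checks.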